KnowBe4 Scam Of The Week: Massive Google Doc Phishing Attack

Think Before You Click On Random Google Doc Invitation Links!

A very convincing Google Docs phishing scam raced through the internet last week. The scam spread almost as fast as a real computer worm, but it was driven by social engineering instead. It appears that a million people fell for it in less than an hour. It was so effective that even if you didn’t receive this email, you probably know someone who did.

The email appeared to come from someone you know who was sharing a Google Doc with you. If you clicked the link in the message, it would have asked you for access permissions to your Gmail account, which genuine Google Docs links do not need.

If you had agreed to give permissions, it would have allowed a malicious third-party web app named “Google Docs” to access your email and address book. It would have spammed everyone in your contacts with the same link to that bogus Google Docs file. Your contacts, in turn, would email everyone in their contacts, and so on, like a human-powered computer worm. All of the emails included the same recipient email address of @mailinator.com. The actual recipient was blind carbon copied (BCC’ed) on it.
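For mail administrators, the two header traits just described (a visible recipient at mailinator.com, with the real recipient only in BCC) can be checked mechanically. The following Python is an added example, not part of the original article; the envelope recipient parameter, the sample messages and the placeholder mailinator.com mailbox are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

DECOY_DOMAIN = "mailinator.com"  # domain the article names for the visible To address

def visible_recipients(msg):
    """Lower-cased addresses from the To and Cc headers (Bcc is never visible)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(headers) if addr}

def on_decoy_domain(addr):
    domain = addr.rpartition("@")[2]
    return domain == DECOY_DOMAIN or domain.endswith("." + DECOY_DOMAIN)

def triage(raw_message, envelope_rcpt):
    """Return which of the two header traits described above are present.

    envelope_rcpt: mailbox the message was delivered to (assumption: the
    mail gateway supplies it, since a Bcc'd address is not in the headers).
    """
    seen = visible_recipients(message_from_string(raw_message))
    findings = []
    if any(on_decoy_domain(a) for a in seen):
        findings.append("decoy_to_address")
    if envelope_rcpt.lower() not in seen:
        findings.append("recipient_only_in_bcc")
    return findings

# Constructed sample messages; all names and addresses are made up.
WORM_STYLE = (
    "From: Alice <alice@example.org>\n"
    "To: placeholder@mailinator.com\n"
    "Subject: Alice has shared a document on Google Docs with you\n\n"
    "Open in Docs\n"
)
DIRECT_SHARE = (
    "From: Alice <alice@example.org>\n"
    "To: Bob <Bob@Example.com>\n"
    "Subject: Q3 budget draft\n\nHere is the draft we discussed.\n"
)
NEWSLETTER = (
    "From: News <news@example.net>\n"
    "To: announce@example.net\n"
    "Subject: Monthly update\n\nHello subscribers.\n"
)

if __name__ == "__main__":
    for name, raw in [("worm-style", WORM_STYLE), ("direct", DIRECT_SHARE), ("newsletter", NEWSLETTER)]:
        print(name, triage(raw, "bob@example.com"))
```

Being BCC'ed is also normal for newsletters and mailing lists, so only the two findings together resemble the messages described here.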

Below is an example of what the email looked like:

A person who is watching out for red flags in emails would have decided that this email was unexpected and suspicious. Were you expecting a Google Doc invitation from this person? If you were expecting something, is the name of the shared file relevant to what you were expecting? If not, hit that delete button, or report the message to your IT team.

If you’re unsure about whether it is safe or not, contact the person who sent it through a different method (other than email) to ensure it is legitimate. Be vigilant and keep yourself and your organization safe. Always Think Before You Click!